## Upgrading Notes ##

The FulltextSearchable default configuration includes all file names in the assets/ folder.
While this is desired in most cases, it can lead to unexpected public visibility of data,
e.g. for files uploaded by users. For example, CVs uploaded to a recruiting site most likely shouldn't be searchable.

Option 2: Exclude individual files from search by setting the File.ShowInSearch database property to 0.
This property was added in the 2.4.6 release. You can apply it retroactively to all files with this SQL statement:

```sql
UPDATE `File` SET `ShowInSearch` = 0;
```

Please note that all these files are still exposed through the webserver if the path is known,
regardless of the ShowInSearch setting. To fully secure uploaded files,
you can apply protection at the webserver level (e.g. .htaccess/web.config configuration).
Alternatively, you can proxy these files through your own permission control system
rather than exposing them directly through the webserver (e.g. with the "securefiles" module).

One common way to allow user-uploaded files is the "userforms" module. This module has been altered to mark all uploaded files with ShowInSearch=0 by default.

### Security: Cross-site scripting (XSS) on anchor links ###

Anchor links (`<a href="#">`) are automatically rewritten by the SilverStripe
template parser to work with the `<base>` tag, which is a prerequisite for the framework.
This applies to all links passed through `SSViewer::process()` with the 'rewriteHashlinks' option enabled,
which is the framework default. Most commonly, these links will be created through the "Content"
field in the CMS, but any links inserted through template placeholders are vulnerable.
Modern browsers block basic XSS attacks through built-in XSS filters;
the vulnerability has so far only been confirmed in Internet Explorer 6 and 7.

When upgrading to this SilverStripe version, please ensure that you flush all template caches
by using the `dev/build/?flush=all` URL.

Thanks to Michael Best and Stefan Schurtz for reporting.

### Security: Possible SQL injection for MySQL when using Far East character encodings ###

MySQL databases with a client set to certain Far East encodings (SJIS, BIG5, GBK, GB18030, and UHC)
can be vulnerable to SQL injection through usage of the
deprecated [addslashes()](http://php.net/addslashes) function.
These character sets are not supported by SilverStripe,
and are not a default setting for MySQL, so it's unlikely that you're affected.

By default, any 2.4.x installation sets the connection character set
to UTF-8, which doesn't have this vulnerability. Please check that
you have the following call in your _config.php:
`MySQLDatabase::set_connection_charset('utf8');`
If this value isn't set, the default encoding in MySQL will apply
(which is usually "latin-1", i.e. "ISO 8859-1", so not a vulnerable multibyte character set).

See shiflett.org
for further details on the exploit. Thanks to Tim Spencer for reporting.
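To see why the connection charset decides whether byte-oriented escaping is safe, here is an added example (not SilverStripe code) that emulates `addslashes()` and checks, for a given charset, whether some high byte swallows the inserted backslash as its trail byte and leaves the quote bare. Charset names are Python codec names (`sjis` is Python's alias for Shift_JIS); the two-byte inputs are constructed for the check.

```python
# Added example, not SilverStripe code: why addslashes()-style escaping cannot be
# trusted on multibyte connection charsets, and why UTF-8 is not affected.

def addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping in the style of PHP's addslashes(): put a
    backslash before every ' " \\ and NUL byte, without knowing the charset."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)  # the backslash
        out.append(b)
    return bytes(out)


def has_unescaped_quote(escaped: bytes, charset: str) -> bool:
    """Decode the escaped bytes the way the database server does, using the
    connection charset, and report whether a single quote survives without a
    preceding backslash, i.e. whether it would close the SQL string literal."""
    try:
        text = escaped.decode(charset)
    except UnicodeDecodeError:
        return False  # server cannot decode this at all; not a smuggled quote
    skip_next = False
    for ch in text:
        if skip_next:
            skip_next = False
        elif ch == "\\":
            skip_next = True
        elif ch == "'":
            return True
    return False


def charset_allows_quote_smuggling(charset: str) -> bool:
    """Check a connection charset: is there any high byte that, placed in
    front of a quote, absorbs the inserted backslash as its trail byte?
    Run this against the charset your application really configures."""
    for lead in range(0x80, 0x100):
        constructed = bytes([lead]) + b"'"  # constructed two-byte user input
        if has_unescaped_quote(addslashes(constructed), charset):
            return True
    return False


if __name__ == "__main__":
    for cs in ("utf-8", "latin-1", "gbk", "big5", "sjis", "gb18030"):
        print(f"{cs:8s} affected by addslashes(): {charset_allows_quote_smuggling(cs)}")
```

A charset that reports True needs charset-aware escaping or prepared statements, which is why the UTF-8 connection charset above matters.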

Only applicable if any page allows comments (through the SiteTree.ProvideComments attribute)
and SilverStripe is version 2.4.x (the feature wasn't present in 2.3, and has been extracted from trunk).
The `PageCommentInterface_Form->postcomment()` method stores user data for re-submission
in cookies (in case the first submission fails due to a validation error).
The data was stored via `serialize()`/`unserialize()`, making it potentially vulnerable
to improper method invocation or property injection. While we are not aware
of any active vulnerabilities, the serialization has been replaced with a more secure JSON format.

Thanks to Tim Klein for reporting.

Note: The commenting functionality has been moved to a new "comments" module in trunk,
which has the same bugfixes applied.

2011-02-02 590dbb5 Made it possible to attach utility links to a ComplexTableField beyond just exporting (e.g. printing). (ajshort)

### Bugfixes ###

2011-10-17 16c3235 Escaping base URLs for anchor links rewritten by SSViewer::process() with the 'rewriteHashlinks' option enabled (which is a framework default, and necessary because of the use of a <base> tag). Also added escaping for base URLs rendered through the 'php' variation of 'rewriteHashlinks' (Ingo Schommer)